Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Lookup issues

ipops
Path Finder
‎08-26-2016 03:28 AM

Having issues getting the NANP app to work (https://splunkbase.splunk.com/app/1515/)

I have the following search but it does not return any lookup fields

sourcetype=ivrdata | eval {message}=varValue | stats first(LogTimestamp) as Time values(Phone) as phone values(Platform) as Platform by IVR_SessionID | WHERE Platform="FWA" | table areacode city latitude longitude

This search returns a phone number in the 1234567890 format as the "phone" field. Any idea what I am doing wrong here?

Here are the relevant files

props.conf

[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

transforms.conf

[getareacode]
REGEX = phone_no="?(\d{3}\d{3})
FORMAT = areacode::$1

Sample of areacode_latitude_longitude.csv

areacode,city,region,country,latitude,longitude
201200,Jersey City,NJ,US,40.7280556,-74.0780556
201202,Hackensack,NJ,US,40.8858333,-74.0438889
201203,Hackensack,NJ,US,40.8858333,-74.0438889
201204,Jersey City,NJ,US,40.7280556,-74.0780556

Tags (1)
0 Karma
Reply

ipops
Path Finder
‎08-26-2016 08:20 AM

I have removed and reinstalled the NANP app.

It's expecting a phone number in xxx-xxx format

transforms.conf
[getareacode]
REGEX = phone_no="?(\d{3}[-|.]\d{3})
FORMAT = areacode::$1

props.conf
[ivrdata]
LOOKUP-ac = AreaCodeLookup areacode AS phone_no OUTPUTNEW city country latitude AS _lat longitude AS _lng region
REPORT-ac = getareacode

Using the following search but it's not returning any lookup data

sourcetype=ivrdata | WHERE IVR_Message="Phone" | rename IVR_Value AS phone_no | rex field=phone_no mode=sed "s/(\d{3})(\d{3})(\d{4})/\1-\2/g" | table phone_no city country latitude longitude region

any ideas where I am going wrong?

alt text

Preview file
33 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...